Most businesses have underestimated the amount of work they will need to do to achieve compliance with the GDPR. Significant changes will need to be made both to business processes and to the automated processing of customer and employee data.
Microsoft Dynamics 365 implements many of the requirements of the GDPR and presents an opportunity both for business transformation and for a more coherent data architecture.
However, when choosing a development partner for this project, businesses should ensure that their partner has GDPR, business and Dynamics 365 expertise.
The EU General Data Protection Regulation (GDPR) applies from 25 May 2018. The penalties for businesses that don’t comply with it are severe, and could even spell the end of the business.
Furthermore, the government has confirmed that Brexit will have no effect – the GDPR will come in as planned.
SMEs – the small and medium sized enterprises that are the backbone of UK economic activity – are the least prepared for the huge change in data protection law heading their way. Yet the new regulation will affect every business, from the home-working sole trader, to the multinational company.
So what’s going to be different, and what can businesses do to ensure that they are compliant?
Most SMEs are compliant with the current Data Protection Act. But they haven’t taken on board the step-change that the GDPR represents. The new regulations shift the focus to the rights that individuals have over their data.
Businesses will have to prove that privacy has been designed into their systems at every stage and that the system default is for privacy protection to be activated.
They will have to show that customers have consented to their data being collected, that only data relevant to the task has been collected and that the data hasn’t been stored for longer than necessary.
The Information Commissioner’s Office, which will regulate compliance with the GDPR, has pointed to the much wider definition of ‘personal data’ that will apply.
While much of this data will be covered already by the Data Protection Act, some of it won’t.
For example, an IP address was often treated as not being personal data; the GDPR names online identifiers such as IP addresses explicitly.
The GDPR applies to manual filing systems too. Pseudonymised personal data, where names have been replaced by codes or aliases, still counts as personal data if the pseudonyms can be linked back to a specific person.
What will SMEs need to do?
SMEs will have to audit all the personal data they hold, both in manual files and in data sets, including items such as IP addresses that the new regulation brings within scope.
They will need to know for how long they have held the data, what consent was given at the time, what the data is used for, whether they have collected more data than they need for their purposes, and whether they have a reason to continue to hold it. The regulations for children’s data are even tougher.
SMEs will need to be able to demonstrate that they have business processes in place that can implement the new rights individuals have to their data.
Individuals will be able to:
• Access their own personal data and make corrections to it
• Erase their data
• Object to processing of their personal data
• Export their data
In effect, control over personal data has shifted from businesses to individuals. The individual gives the business permission to use the data for a specific purpose, and the business may store it only for as long as that purpose is valid.
Under the GDPR businesses will have to comply with a number of notifications and controls. They must:
• Use appropriate technical and organisational security to protect personal data
• Notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, and tell the affected individuals where the breach is likely to put them at high risk
• Have a lawful basis, such as the person’s consent, for processing their data, and be able to show it
• Keep documentation giving details of all data processing
Simply auditing current personal data use, checking past records and customer consents, then carrying out a gap analysis against the GDPR is a major project.
For many SMEs, the GDPR will involve designing a completely new and different set of business processes around data, to enable them to comply with users’ rights.
For example, the right to data portability: if a customer tells a business that they want all their data exported to a competitor, the mechanisms for complying, in a structured, commonly used and machine-readable format, will need to be in place.
Businesses must be able to prove that they have designed customer data protection into all of their systems and policies – that it isn’t just a bolt-on consisting of a few passwords for instance.
All systems must default to the most privacy-protective setting – the era of the ready-ticked box consenting to personal details being used for another purpose is over. Transparency is a key requirement of the GDPR.
This means that organisations have to tell people when they are about to collect their data and inform them of exactly what they are going to do with it and why.
They must have clear policies around how long data will be kept and when it will be deleted.
A challenge of the magnitude of Y2K
Many commentators are comparing the GDPR challenge with the Y2K issues at the turn of the century. Whereas government organisations mounted a huge campaign to publicise Y2K, there has been relatively little publicity about the GDPR, leaving many businesses woefully under-prepared.
This is against a backdrop of changes in which the penalties for breaches are now much harsher. If a business doesn’t comply with the regulation, it will face fines of up to twenty million euros, or 4% of annual worldwide turnover – whichever is higher.
Not responding to a request from an individual promptly enough, or not following the business privacy statement, can land a business in a lot of trouble.
All employees will likely require training, and some businesses – public authorities, and those whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data – will need to appoint a data protection officer. Vendor contracts must also be compliant with the GDPR.
It is easy for businesses to concentrate so much of their effort on customers and users that they neglect GDPR compliance for their own employees.
It is vital that all employee records are factual and that HR is not holding any personal comments or information they would not wish the employee to see. This may involve trawling back through archived paper files.
Businesses are advised to consider switching to a Customer Relationship Management database.
The leading example is Microsoft Dynamics 365 which is being increasingly widely adopted not only in business, but also in government.
One of the primary reasons for this move to Dynamics is that it implements much of the GDPR compliance on behalf of the organisation, out-the-box.
Dynamics 365 takes account of how the GDPR will categorise personal data and implements industry-leading security, driven by up-to-date privacy policies. Reducing risk for the business is a key mitigation against non-compliance.
With Dynamics, a business can centralise every piece of personal data in one place. There won’t be manual lists replicating names held on spreadsheets, cross-referencing to customer records. If the data is customer centric, it will be available in the Dynamics 365 CRM system, and solely in that system.
Dynamics 365 controls data access
Dynamics 365 provides real control over who can access what data. The business can limit what any user can see or do, control records or restrict access right down to field level. This gives an important extra control over sensitive information, such as names and addresses.
The ability to define roles and manage the privileges attached to any role, significantly increases the protection of personal data.
One of the key risks in organisations arises when an employee moves into a new role without having their privileges updated, leaving them with far more access to data than they should have. Because access in the CRM system is tied to the roles assigned to each user, this risk is greatly reduced, provided that role assignments are reviewed and updated as part of the job change.
Dynamics 365 uses Azure Active Directory to manage users and groups and to authenticate sign-in, which gives simple and effective control over who can log in and which privileges they hold. Sign-in can be made considerably more secure through the use of multi-factor authentication.
This adds a second factor to the user login – similar to the tokens or passcodes that people use to access their bank accounts.
For example, employees can install an authenticator app on their phones. When they log in, the app generates or receives a one-time code, and they enter this into the CRM as their second factor.
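The role-change risk described above is a general least-privilege problem, not something specific to one product. The following is an added illustration (not Dynamics 365 code and not from the original article) of a minimal role-based model with field-level visibility, in which each user holds exactly one current role and moving them to a new role replaces their old privileges instead of accumulating them. The role names, field names and the sample customer record are assumptions constructed for the example.

```python
"""Field-level, role-based access control with role reassignment.

Added illustration: a user sees only the record fields that their
*current* role permits, and a role change drops the previous role's
privileges rather than adding to them.
"""
from dataclasses import dataclass, field

# Hypothetical roles and the fields each may read (assumptions for the example).
ROLE_FIELDS = {
    "sales_rep":     {"name", "company", "email"},
    "support_agent": {"name", "email", "ticket_notes"},
    "finance":       {"name", "company", "bank_account"},
}

# Constructed sample customer record.
CUSTOMER = {
    "name": "Example Customer",
    "company": "Example Ltd",
    "email": "customer@example.invalid",
    "bank_account": "GB00 EXMP 0000 0000 0000 00",
    "ticket_notes": "Reported login issue",
}


class AccessDenied(Exception):
    """Raised when a user tries to read a field outside their role."""


@dataclass
class User:
    username: str
    role: str
    role_history: list = field(default_factory=list)


def visible_fields(user):
    """Fields the user's current role may read (unknown roles get nothing)."""
    if user.role not in ROLE_FIELDS:
        raise AccessDenied(f"unknown role {user.role!r}")
    return ROLE_FIELDS[user.role]


def read_record(user, record):
    """Return a copy of the record containing only the fields the user may see."""
    allowed = visible_fields(user)
    return {name: value for name, value in record.items() if name in allowed}


def can_read(user, field_name):
    """True if the user's current role permits reading this field."""
    return field_name in visible_fields(user)


def change_role(user, new_role):
    """Move the user to a new role; the old role's privileges do not carry over."""
    if new_role not in ROLE_FIELDS:
        raise ValueError(f"unknown role {new_role!r}")
    user.role_history.append(user.role)
    user.role = new_role
    return user


if __name__ == "__main__":
    alice = User("alice", "finance")
    print(read_record(alice, CUSTOMER))          # includes bank_account
    change_role(alice, "sales_rep")
    print(read_record(alice, CUSTOMER))          # bank_account is gone
```

The point of `change_role` is that it overwrites rather than appends: the audit trail of previous roles is kept in `role_history`, but none of their privileges survive the move.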
When data is flowing between the business and Microsoft’s data centres, it is encrypted in transit. It’s no big surprise that Microsoft is a major partner in the government’s Cyber Security Strategy.
Dynamics 365 is built using a software development process called Security Development Lifecycle which implements security protection at every point in the software design process.
While authentication establishes who the user is and lets them into the CRM, authorisation and data security rules keep them out of the parts of the database they shouldn’t be able to see. The business can attach security policies to particular user roles and then further restrict access to transaction data.
Moving to Dynamics 365 provides businesses with the opportunity to both streamline their data architecture and to adapt their business processes to ensure compliance with GDPR.
GDPR says that businesses must evidence their compliance and a cleaner, tighter data structure can make documenting compliance much simpler.
Microsoft has committed itself to GDPR compliance in its cloud services by May 2018 and is even providing assurances around GDPR in its contract commitments. The emphasis is now on privacy, security, transparency and compliance.
Businesses will be able to respond to user requests to delete, correct or amend data. Microsoft has also committed to detecting breaches of personal data affecting its services and reporting them to the business.
Importantly, the new commitment states that a business will be able to demonstrate its compliance using Microsoft’s system. That’s quite a few of the GDPR business process headaches solved – providing that is, that all the data is within the Dynamics 365 CRM system.
What to look for in a Dynamics 365 and GDPR partner
The business will need a partner that fully understands the business impact of the changes that the GDPR will bring, and the seriousness of non-compliance.
Businesses have to be able to implement Dynamics 365 in tandem with redesigning business processes to work with the new system. This means that they need to understand the business and how it has used data in the past, and will use it in the future.
They must be able to seize the opportunity to make the business more efficient as well as more secure.
The solution partner also needs to understand the data protection and security features in Dynamics 365 to ensure the business gets full benefit from them.
The business and the partner will have to agree on the “triggers” that will be implemented in the system to detect and report data breaches.
Beyond this, they need to understand business features such as “double opt-in” (where the user fills in a form on a web site, then receives an email with a confirmation link that they must click to activate their sign-up). This represents good practice for the business in data protection terms.
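A double opt-in is only worth as much as the confirmation link: the token in the link must be unguessable, single-use and time-limited, and the sign-up must count as consented only once the link has been visited. The following is an added example (not from the article and not Dynamics 365 code) showing the mechanism end to end with in-memory stand-ins for the database and the email outbox; the confirmation URL, the 24-hour validity window and the sample addresses are assumptions made for the example. It also records the purpose and time of consent, which is the evidence a business needs to show what was agreed and when.

```python
"""Double opt-in sign-up with unguessable, single-use, expiring tokens.

Added illustration: the web form creates a *pending* sign-up and emails
a one-time confirmation link; the address is treated as consented only
after the link is visited within the validity window.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600   # assumed validity window for the link

# In-memory stand-ins for a database and an email outbox (constructed).
PENDING = {}      # sha256(token) -> {"email", "purpose", "expires"}
CONFIRMED = {}    # email -> {"purpose", "consented_at"}
OUTBOX = []       # (email, link) pairs that would be sent


def _hash_token(token):
    """Store only a hash, so a leaked table does not yield working links."""
    return hashlib.sha256(token.encode()).hexdigest()


def start_signup(email, purpose, now=None):
    """Step 1: the form is submitted. Record a pending sign-up and 'send' the link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)            # 256 bits of randomness
    PENDING[_hash_token(token)] = {
        "email": email,
        "purpose": purpose,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    link = f"https://example.invalid/confirm?token={token}"   # hypothetical URL
    OUTBOX.append((email, link))
    return token


def confirm_signup(token, now=None):
    """Step 2: the link is visited. Returns the confirmed email, or None."""
    now = time.time() if now is None else now
    key = _hash_token(token)
    # Compare in constant time so timing does not reveal partial matches.
    match = next((k for k in PENDING if hmac.compare_digest(k, key)), None)
    if match is None:
        return None
    entry = PENDING.pop(match)                   # single use: remove on first visit
    if now > entry["expires"]:
        return None                              # expired link: no consent recorded
    CONFIRMED[entry["email"]] = {
        "purpose": entry["purpose"],
        "consented_at": now,                     # evidence of what was agreed and when
    }
    return entry["email"]


def is_consented(email, purpose):
    """True only if this address confirmed the link for this specific purpose."""
    record = CONFIRMED.get(email)
    return record is not None and record["purpose"] == purpose


if __name__ == "__main__":
    tok = start_signup("customer@example.invalid", "newsletter")
    print("link sent:", OUTBOX[-1][1])
    print("confirmed:", confirm_signup(tok))
    print("consented:", is_consented("customer@example.invalid", "newsletter"))
```

Consent is recorded per purpose; a confirmed newsletter sign-up does not make `is_consented` true for any other use of the same address, which matches the requirement that data be used only for the purpose the person agreed to.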
The partner should also apply best practice processes themselves, by documenting what they did in terms of data protection when they were implementing the system. They should show that they did not introduce risk during the development process, for example during testing.
The move to the Dynamics 365 CRM system may need a Data Protection Impact Assessment (often still called a Privacy Impact Assessment) to be prepared and signed off before the project starts.
If GDPR is viewed as a business transformation opportunity, rather than a compliance threat, the result may well be a more secure, efficient and lean organisation.